[keycloak-user] Kubernetes integration

Pedro Igor Silva psilva at redhat.com
Tue Aug 7 07:59:55 EDT 2018


On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:

> Question regarding using KeyCloak and Kubernetes.
>
> Kubernetes only supports one ClientID. If you are supporting both the cli
> and the web ui, in Dex or Google you set up two clients, one for the
> website and one for the cli. You mark the cli as a Public Client, and you
> establish a trust between the website client and the cli. In either case,
> then, the token passed to Kubernetes is for the same client.
>
> What is the recommended way of doing something like this with KeyCloak? I
> see a Public Client option, but I don't see a way to establish the trust
> between clients.
>

We have a token exchange [1] endpoint which can be used to exchange tokens
from one client to another.

The way Kubernetes supports OIDC is really tricky because the API server
expects an ID Token and not an OAuth2 Access Token (with no support for
token introspection in case tokens are opaque and not JWTs). As you pointed
out, the API server supports a single client id, thus you would need the cli to
use the same client configured on the API server or use token exchange.

[1]
https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange


>
> Thanks,
> Kevin


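As an added illustration of the exchange Pedro describes (not code from the thread or from Keycloak itself): the CLI client swaps the token it holds for an ID token whose audience is the one client id kube-apiserver is configured with, and checks that audience before handing the token to kubectl. The realm URL, client names and the sample token are constructed placeholders; the grant and token-type URNs are the ones Keycloak's token-exchange endpoint accepts.

```python
import base64
import json
from urllib.parse import urlencode

# Real Keycloak / RFC 8693 parameter values; all other names below are constructed.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def build_exchange_request(realm_url, cli_client_id, subject_token,
                           k8s_client_id, cli_client_secret=None):
    """Return (token endpoint, form body) for a Keycloak token exchange.

    The CLI presents the token it already holds and asks for an ID token whose
    audience is the API server's client id, so kube-apiserver's single
    --oidc-client-id matches without registering a second client id there.
    client_secret is sent only for a confidential CLI client.
    """
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": cli_client_id,
        "subject_token": subject_token,
        "requested_token_type": ID_TOKEN_TYPE,
        "audience": k8s_client_id,
    }
    if cli_client_secret is not None:
        params["client_secret"] = cli_client_secret
    return realm_url.rstrip("/") + "/protocol/openid-connect/token", urlencode(params)

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    """Constructed, UNSIGNED token for local tests only (alg=none, empty signature)."""
    return _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(claims).encode()) + "."

def token_acceptable_for_api_server(jwt, k8s_client_id):
    """Client-side pre-flight check: does the token's aud name the API server's client id?

    Decodes the payload WITHOUT verifying the signature; kube-apiserver does the
    real verification against the issuer's JWKS. aud may be a string or a list.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return k8s_client_id in aud
```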